Amendments to the Claims 



Applicants respectfully request reconsideration of this application as amended. 
Claims 1-51 were pending. Claims 1, 6, 13, 15-16, 19, 21-25, and 28-51 have been 
amended. No claims have been added. Claims 12, 14, 18, 20, 43, and 45-46 have been 
canceled without prejudice. Claims 1-11, 13, 15-17, 19, 21-42, 44, and 47-51 remain 
pending. 

Listing of Claims:

1. (Currently amended) A method in a network access device comprising:
without proxying, analyzing each of a stream of packets traversing a single connection through the network access device from an external host to a protected host;
forwarding each allowed packet of the stream of packets as long as the connection is active, wherein forwarding each allowed packet comprises transmitting a message indicating that each allowed packet is allowed; and
if one of the stream of packets is determined to be disallowed by said analyzing, then discarding the disallowed packet and terminating the connection, causing the protected host to discard those packets received on the terminated connection.

2. (Original) The method of claim 1 wherein analyzing each of the stream of packets 
comprises inspecting a header of each of the stream of packets against a packet filter. 



Attorney's Docket Number 4619.P027
Appl. Ser. No. 10/697,846



3. (Original) The method of claim 1 wherein analyzing each of the stream of packets comprises inspecting a payload of each of the stream of packets for disallowed content.

4. (Original) The method of claim 3 wherein inspecting the payload of each of the stream of packets comprises copying the payload, analyzing the payload, and discarding the corresponding packet if the payload is threatening.

5. (Original) The method of claim 1 further comprising:
copying a payload from each of a plurality of packets that comprise a file, the stream of packets including the plurality of packets;
forwarding all but the last of the plurality of packets to the protected host;
reassembling the plurality of packets into the file;
analyzing the file;
if the file is a threatening file then discarding the last packet and terminating the connection; and
if the file is non-threatening, then forwarding the last packet.

6. (Currently amended) A computer implemented method comprising:
copying a packet payload of each of a plurality of packets received on a single connection between an external host and a protected host that carries a stream of packets, the stream of packets including the plurality of packets;
forwarding all but the last of the plurality of packets to the protected host;
reassembling the copied packet payloads into a file;
analyzing the file to determine if the file is allowed or disallowed;
maintaining the connection while analyzing the file, said maintaining comprising copying each of the plurality of packets but the last packet before forwarding each of the plurality of packets, and holding the last packet and repeatedly forwarding the last copied packet;
if the file is allowed, then forwarding the last packet to the protected host; and
if the file is determined to be disallowed, then dropping the last packet and terminating the connection.

7. (Original) The computer implemented method of claim 6 wherein the analyzing 
the file comprises performing anti-virus analysis on the file. 

8. (Original) The computer implemented method of claim 6 further comprising: 
analyzing a header of each of the stream of packets; and 

if one of the stream of packets is determined to be disallowed, then discarding the 
disallowed packet and terminating the connection. 

9. (Original) The computer implemented method of claim 8 wherein analyzing the 
header comprises inspecting addresses indicated in the header against a packet filter. 

10. (Original) The computer implemented method of claim 6 further comprising:
individually analyzing each of the copied packet payloads; and
if one of the copied packet payloads is determined to be threatening, then discarding the corresponding packet and terminating the connection.

11. (Original) The computer implemented method of claim 10 wherein analyzing each of the copied packet payloads comprises inspecting each copied packet payload against a list of disallowed content and determining if each copied packet payload includes threatening script.

12. (Canceled). 
13. (Currently amended) A [[The]] computer implemented method comprising: [[of claim 12]]
copying a packet payload of each of a plurality of packets received on a single connection between an external host and a protected host that carries a stream of packets, the stream of packets including the plurality of packets;
forwarding all but the last of the plurality of packets to the protected host;
reassembling the copied packet payloads into a file;
analyzing the file to determine if the file is allowed or disallowed;
maintaining the connection while analyzing the file, wherein maintaining the connection comprises:
decapsulating the last packet's payload[[;]],
fragmenting the last packet's payload into subparts[[;]],
encapsulating each subpart[[;]], and
forwarding each subpart until analysis is complete;
if the file is allowed, then forwarding the last packet to the protected host; and
if the file is determined to be disallowed, then dropping the last packet and terminating the connection.



14. (Canceled). 



15. (Currently amended) The computer implemented method of claim [[12]] 6, wherein maintaining the connection comprises increasing transmission latency of each acknowledgement transmitted from the protected host to the external host until the analysis is complete.

16. (Currently amended) A [[The]] computer implemented method comprising: [[of claim 6]]
copying a packet payload of each of a plurality of packets received on a single connection between an external host and a protected host that carries a stream of packets, the stream of packets including the plurality of packets;
forwarding all but the last of the plurality of packets to the protected host;
reassembling the copied packet payloads into a file;
analyzing the file to determine if the file is allowed or disallowed;
if the file is allowed, then forwarding the last packet to the protected host, wherein forwarding each of the plurality of packets comprises transmitting a message indicating that each of the plurality of packets is allowed; and
if the file is determined to be disallowed, then dropping the last packet and terminating the connection.



17. (Currently amended) A computer implemented method comprising:
supporting a connection from an external host to a protected host;
analyzing a header of each packet received over the connection from the external host;
terminating the connection if a first packet received over the connection is determined to be disallowed and discarding the first packet;
if the connection is not terminated, copying the first packet's payload;
analyzing the first packet's payload;
terminating the connection if said first packet's payload is determined to be disallowed and discarding the first packet;
if the connection has not been terminated and if said first packet's payload is not a last block of a file, then forwarding said first packet to the protected host;
if said first packet's payload is the last block of a file, then reassembling the first packet's payload with a set of one or more previously copied packet payloads into the file;
analyzing the file to determine if the file is allowed or disallowed;
maintaining the connection while analyzing the file, said maintaining comprising copying each of the plurality of packets but the last packet before forwarding each of the plurality of packets, and holding the last packet and repeatedly forwarding the last copied packet;
if the file is disallowed then dropping the first packet and terminating the connection; and
if the file is allowed then forwarding the first packet.
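The per-packet procedure recited in claims 1, 6 and 17 (header check, payload copy and check, forward all but the last block, hold the last block while the reassembled file is analyzed, then forward it or drop it and tear the connection down), as an added illustrative model that is not code from the application; the addresses, packet filter, disallowed-content list and file check are constructed assumptions, and the connection-maintaining mechanisms (repeated forwarding, fragmenting, ACK delay) are not modelled:

```python
# Added illustrative model, not code from the application: an in-line
# (non-proxying) inspector applying the claimed per-packet steps. The
# addresses, filter, content list and file check are constructed assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Packet:
    src: str                  # external host address from the header
    dst: str                  # protected host address from the header
    payload: bytes
    last_block: bool = False  # True when this payload completes a file

@dataclass
class Connection:
    forwarded: List[Packet] = field(default_factory=list)  # sent to protected host
    copied: List[bytes] = field(default_factory=list)      # payload copies awaiting reassembly
    held: Optional[Packet] = None                          # last block held during analysis
    terminated: bool = False
    reason: Optional[str] = None

    def terminate(self, reason: str) -> None:
        # Tearing the connection down is what makes the protected host discard
        # what it already received on it, including earlier forwarded blocks.
        self.terminated, self.reason, self.held = True, reason, None

# Constructed policy (assumptions): a header packet filter, a list of
# disallowed payload content standing in for "threatening script", and a
# marker standing in for an anti-virus signature on the reassembled file.
BLOCKED_SOURCES = {"203.0.113.9"}
DISALLOWED_CONTENT = [b"<script>", b"eval("]
FILE_MARKER = b"MALWARE-MARKER"

def header_allowed(pkt: Packet) -> bool:
    return pkt.src not in BLOCKED_SOURCES

def payload_allowed(payload: bytes) -> bool:
    return not any(sig in payload for sig in DISALLOWED_CONTENT)

def file_allowed(data: bytes) -> bool:
    return FILE_MARKER not in data

def receive(conn: Connection, pkt: Packet) -> str:
    """Apply the claimed steps to one packet; returns 'forwarded' or 'dropped'."""
    if conn.terminated:
        return "dropped"
    if not header_allowed(pkt):               # header inspected against the filter
        conn.terminate("header disallowed")
        return "dropped"
    payload = bytes(pkt.payload)              # copy the payload before forwarding
    if not payload_allowed(payload):          # per-packet content inspection
        conn.terminate("payload disallowed")
        return "dropped"
    if not pkt.last_block:                    # forward all but the last block
        conn.copied.append(payload)
        conn.forwarded.append(pkt)
        return "forwarded"
    conn.held = pkt                           # hold the last block during file analysis
    file_data = b"".join(conn.copied) + payload
    conn.copied.clear()
    if file_allowed(file_data):
        conn.forwarded.append(pkt)
        conn.held = None
        return "forwarded"
    conn.terminate("file disallowed")         # drop the last block and tear down
    return "dropped"

def run_stream(packets: List[Packet]):
    """Feed a whole constructed stream through one connection."""
    conn = Connection()
    return conn, [receive(conn, p) for p in packets]

def file_stream(src: str, chunks: List[bytes]) -> List[Packet]:
    """Constructed stream: one file split across several packets to 10.0.0.5."""
    return [Packet(src, "10.0.0.5", c, last_block=(i == len(chunks) - 1))
            for i, c in enumerate(chunks)]
```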

18. (Canceled). 

19. (Currently amended) A [[The]] computer implemented method comprising: [[of claim 18]]
supporting a connection from an external host to a protected host;
analyzing a header of each packet received over the connection from the external host;
terminating the connection if a first packet received over the connection is determined to be disallowed and discarding the first packet;
if the connection is not terminated, copying the first packet's payload;
analyzing the first packet's payload;
terminating the connection if said first packet's payload is determined to be disallowed and discarding the first packet;
if the connection has not been terminated and if said first packet's payload is not a last block of a file, then forwarding said first packet to the protected host;
if said first packet's payload is the last block of a file, then reassembling the first packet's payload with a set of one or more previously copied packet payloads into the file;
analyzing the file to determine if the file is allowed or disallowed;
maintaining the connection while analyzing the file, wherein maintaining the connection comprises:
decapsulating the last packet's payload[[;]],
fragmenting the last packet's payload into subparts[[;]],
encapsulating each subpart[[;]], and
forwarding each subpart until analysis is complete;
if the file is disallowed then dropping the first packet and terminating the connection; and
if the file is allowed then forwarding the first packet.

20. (Canceled). 

21. (Currently amended) The computer implemented method of claim 17 [[18]] wherein maintaining the connection comprises increasing transmission latency of each acknowledgement transmitted from the protected host to the external host until the analysis is complete.

22. (Currently amended) The computer implemented method of claim [[6]] 17 wherein the analyzing the file comprises performing anti-virus analysis on the file.

23. (Currently amended) The computer implemented method of claim [[8]] 17 wherein analyzing the header comprises inspecting addresses indicated in the header against a packet filter.

24. (Currently amended) The computer implemented method of claim [[10]] 17 wherein analyzing the first packet's payload [[each of the copied packet payloads]] comprises inspecting the first packet's [[each copied packet]] payload against a list of disallowed content and determining if the first packet's [[each copied packet]] payload includes threatening script.

25. (Currently amended) An apparatus comprising:
a forwarding module to forward packets of a datastream along a connection between a protected host and an external host; and
a datastream analysis module coupled with the forwarding module, the datastream analysis module to analyze each of the packets to determine if each of the packets are allowed or disallowed and to terminate the connection upon determining one of the packets to be disallowed and to discard the disallowed packet, causing the protected host to discard packets received on the terminated connection prior to the disallowed packet, wherein the forwarding module is operable to maintain the connection while the analysis module is analyzing the packets by copying each of the packets but the last packet before forwarding each of the packets, and holding the last packet and repeatedly forwarding the last copied packet.

26. (Original) The apparatus of claim 25 further comprising a memory to store each 
of the packets until forwarded or discarded. 

27. (Original) The apparatus of claim 25 further comprising a memory coupled with the datastream analysis module, the memory to store copies of each of the packets' payloads.
28. (Currently amended) A [[machine readable medium]] physical machine-accessible storage medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
without proxying, analyzing each of a stream of packets traversing a single connection through the network access device from an external host to a protected host;
forwarding each allowed packet of the stream of packets as long as the connection is active, wherein forwarding each allowed packet comprises transmitting a message indicating that each allowed packet is allowed; and
if one of the stream of packets is determined to be disallowed by said analyzing, then discarding the disallowed packet and terminating the connection, causing the protected host to discard those packets received on the terminated connection.

29. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim 28 wherein analyzing each of the stream of packets comprises inspecting a header of each of the stream of packets against a packet filter.

30. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim 28 wherein analyzing each of the stream of packets comprises inspecting a payload of each of the stream of packets for disallowed content.

31. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim 30 wherein inspecting the payload of each of the stream of packets comprises copying the payload, analyzing the payload, and discarding the corresponding packet if the payload is threatening.

32. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim 28 further comprising:
copying a payload from each of a plurality of packets that comprise a file, the stream of packets including the plurality of packets;
forwarding all but the last of the plurality of packets to the protected host;
reassembling the plurality of packets into the file;
analyzing the file;
if the file is a threatening file then discarding the last packet and terminating the connection; and
if the file is non-threatening, then forwarding the last packet.

33. (Currently amended) A [[machine readable medium]] physical machine-accessible storage medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
copying a packet payload of each of a plurality of packets received on a single connection between an external host and a protected host that carries a stream of packets, the stream of packets including the plurality of packets;
forwarding all but the last of the plurality of packets to the protected host, wherein forwarding each of the plurality of packets comprises transmitting a message indicating that each of the plurality of packets is allowed;
reassembling the copied packet payloads into a file;
analyzing the file to determine if the file is allowed or disallowed;
if the file is allowed, then forwarding the last packet to the protected host; and
if the file is determined to be disallowed, then dropping the last packet and terminating the connection.
34. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim 33 wherein the analyzing the file comprises performing anti-virus analysis on the file.

35. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim 33 further comprising:
analyzing a header of each of the stream of packets; and
if one of the stream of packets is determined to be disallowed, then discarding the disallowed packet and terminating the connection.

36. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim 35 wherein analyzing the header comprises inspecting addresses indicated in the header against a packet filter.

37. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim 33 further comprising:
individually analyzing each of the copied packet payloads; and
if one of the copied packet payloads is determined to be threatening, then discarding the corresponding packet and terminating the connection.

38. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim 37 wherein analyzing each of the copied packet payloads comprises inspecting each copied packet payload against a list of disallowed content and determining if each copied packet payload includes threatening script.

39. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim 33 further comprising maintaining the connection while analyzing the file.

40. (Currently amended) [[The machine readable medium]] A physical machine-accessible storage medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising: [[of claim 39]]
copying a packet payload of each of a plurality of packets received on a single connection between an external host and a protected host that carries a stream of packets, the stream of packets including the plurality of packets;
forwarding all but the last of the plurality of packets to the protected host;
reassembling the copied packet payloads into a file;
analyzing the file to determine if the file is allowed or disallowed;
maintaining the connection while analyzing the file, wherein maintaining the connection comprises:
decapsulating the last packet's payload[[;]],
fragmenting the last packet's payload into subparts[[;]],
encapsulating each subpart[[;]], and
forwarding each subpart until analysis is complete;
if the file is allowed, then forwarding the last packet to the protected host; and
if the file is determined to be disallowed, then dropping the last packet and terminating the connection.

41. (Currently amended) [[The machine readable medium]] A physical machine-accessible storage medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising: [[of claim 39]]
copying a packet payload of each of a plurality of packets received on a single connection between an external host and a protected host that carries a stream of packets, the stream of packets including the plurality of packets;
forwarding all but the last of the plurality of packets to the protected host;
reassembling the copied packet payloads into a file;
analyzing the file to determine if the file is allowed or disallowed;
maintaining the connection while analyzing the file, wherein maintaining the connection comprises:
copying each of the plurality of packets but the last packet before forwarding each of the plurality of packets[[;]], and
holding the last packet and repeatedly forwarding the last copied packet;
if the file is allowed, then forwarding the last packet to the protected host; and
if the file is determined to be disallowed, then dropping the last packet and terminating the connection.

42. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim 39 wherein maintaining the connection comprises increasing transmission latency of each acknowledgement transmitted from the protected host to the external host until the analysis is complete.

43. (Canceled). 

44. (Currently amended) A [[machine readable medium]] physical machine-accessible storage medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
supporting a connection from an external host to a protected host;
analyzing a header of each packet received over the connection from the external host;
terminating the connection if a first packet received over the connection is determined to be disallowed and discarding the first packet;
if the connection is not terminated, copying the first packet's payload;
analyzing the first packet's payload;
terminating the connection if said first packet's payload is determined to be disallowed and discarding the first packet;
if the connection has not been terminated and if said first packet's payload is not a last block of a file, then forwarding said first packet to the protected host;
if said first packet's payload is the last block of a file, then reassembling the first packet's payload with a set of one or more previously copied packet payloads into the file;
analyzing the file to determine if the file is allowed or disallowed;
maintaining the connection while analyzing the file, said maintaining comprising decapsulating the last packet's payload, fragmenting the last packet's payload into subparts, encapsulating each subpart, and forwarding each subpart until analysis is complete;
if the file is disallowed then dropping the first packet and terminating the connection; and
if the file is allowed then forwarding the first packet.

45. (Canceled). 

46. (Canceled). 
47. (Currently amended) [[The machine readable medium]] A physical machine-accessible storage medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising: [[of claim 15]]
supporting a connection from an external host to a protected host;
analyzing a header of each packet received over the connection from the external host;
terminating the connection if a first packet received over the connection is determined to be disallowed and discarding the first packet;
if the connection is not terminated, copying the first packet's payload;
analyzing the first packet's payload;
terminating the connection if said first packet's payload is determined to be disallowed and discarding the first packet;
if the connection has not been terminated and if said first packet's payload is not a last block of a file, then forwarding said first packet to the protected host;
if said first packet's payload is the last block of a file, then reassembling the first packet's payload with a set of one or more previously copied packet payloads into the file;
analyzing the file to determine if the file is allowed or disallowed;
maintaining the connection while analyzing the file, wherein maintaining the connection comprises:
copying each of the plurality of packets but the last packet before forwarding each of the plurality of packets[[;]], and
holding the last packet and repeatedly forwarding the last copied packet;
if the file is disallowed then dropping the first packet and terminating the connection; and
if the file is allowed then forwarding the first packet.

48. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim [[45]] 44 wherein maintaining the connection comprises increasing transmission latency of each acknowledgement transmitted from the protected host to the external host until the analysis is complete.

49. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim [[33]] 44 wherein the analyzing the file comprises performing anti-virus analysis on the file.

50. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim [[35]] 44 wherein analyzing the header comprises inspecting addresses indicated in the header against a packet filter.

51. (Currently amended) The [[machine readable medium]] physical machine-accessible storage medium of claim [[37]] 44 wherein analyzing the first packet's payload [[each of the copied packet payloads]] comprises inspecting the first packet's [[each copied packet]] payload against a list of disallowed content and determining if the first packet's [[each copied packet]] payload includes threatening script.